About the series

This 4 part series will discuss the Windows access control model and its implementation in Windows NT and 2000.

Part 4 is the final part of the access control series. This was going to be the only article I was going to post on the topic, but you needed the introductory topics as a prerequisite.

In part 4, I will show you how to implement the ACL editor in your own application, so you can secure anything. I will start off by describing the ACL editor and its features (with the help of some screenshots). I will describe how to utilise the ACL editor for your own objects. Then, the real work begins: the ISecurityInformation interface will be explained and implemented. Each method of the ISecurityInformation will be explained, and example implementations will be presented. A separate section will be devoted to the ISecurityInformation::SetSecurity method (since it is so complicated). Once that is done, we will briefly discuss the other interfaces you can implement (ISecurityInformation2, ISecurityTypeInfo, and IEffectivePermission).

The ACL editor is only available for Windows 2000 or higher.

Windows NT3 and 4 included an older ACL editor. In order to display the older ACL editor, you'll have to call functions not documented on MSDN (you'll need to go to the Sysinternals [^] website for that). If you are using .NET, Keith Brown has a reusable class library [^] that will allow you to use the ACL editor (the associated article has some cool information on the ACL editor too).

Unfortunately, I won't explain how to use the ACL editor as a good security descriptor, or help you regain access to that locked folder of yours. If you need to unlock access to a file you should go to KB308421 [^].

The sample program, Filepermsbox, is a property sheet extension for Windows XP home edition (though it works on any OS above Windows 2000). It recreates the full security tab even if simple file and folder sharing was enabled. That means you Home users no longer need to reboot in safe mode to change file security descriptors. However, Filepermsbox could also be useful for third party shells and security utilities. You can access the security tab in one of two ways. The first way is to use the front-end application (fig. 40). Simply choose your file, and the ACL editor will appear so you can edit it. If you register the DLL (either by the setup or through regsvr32), you can access Filepermsbox though the shell extension. Select a file, open its properties, and select the Filepermsbox tab.

28. Features of the ACL Editor (ACLUI)

If you ran the sample program in part 3 [^], you may have come across the ReadSD program that can read and edit a registry security descriptor. Apart from the nondescript user interface, you may have noticed many problems with my ACL editor.

Access masks appear as an untranslated hexadecimal number. Ideally, the access mask should be presented in textual form (such as "Read", "Write", or "All Access").

Auto-inherited ACEs are presented separately. As a result, most security descriptors will appear empty, confusing the user. We need to find a way to show both explicit ACEs and inherited ACEs at the same time.

The DataGridView performs no validation of the username nor the access mask until it is too late.

The Inheritance flags editor is presented as a modal dialog. You cannot edit anything else whilst setting the flags.

If you aren't allowed to edit the registry security (quite common when you run as a limited user), ReadSD could fail.

Most options are too confusing to inexperienced users. This increases the chances of users making mistakes.

Last, but not least, ReadSD only works for registry keys.

Dialog 1: The General ACL Editor

The Windows 2000 ACL Editor first appeared as a redistributable for Windows NT4.0. It offers a common user interface that can read and edit a security descriptor and its parts, including the control flags, the DACL, the SACL, and the owner. It's called the ACL editor (it may also be called the security tab, the permissions sheet, or ACLUI). The term ACL editor is somewhat of a misnomer—the interface can edit the SACL and the owner of an object, as well as its DACL. More significantly, the ACL editor is object-agnostic. The same ACL editor can be used to change the security for a registry key, COM interface, DCOM class, file, directory, service, or process object.

Let's take a look at the interface. Select a file, and open up its properties. In the property sheet that follows, select the Security tab and now you can start viewing the ACL editor.

If you are on Windows XP, the Security tab will be unavailable by default. In that case you can either try to disable "simple file sharing" in Folder Options, or if that can't be done, download my Filepermsbox sample program.

Figure 41: The main property sheet of the ACL editor.

The general ACL editor is a property sheet consisting of a list view (user name) and a checklist box (generic access rights). The first list is responsible for showing which users / groups / computers (they're collectively called principals, but for simplicity, I'll just call them users. Wait a moment... didn't I call them trustees before?) the DACL applies to. The bottom checklist displays the generic access rights for the selected user. Notice a number of features of the general property sheet:

The title of the box displays the name of the object. The ACL editor asks you for the title of the object.

The list of SIDs are obtained from the DACL, and the ACL editor may ask you to translate these SIDs to user names.

There is an Advanced button to open up three more dialog boxes. Once again, the ACL editor asks you if you want to enable this button.

If you want to add a user, you can click the "Add..." button. This will show the dialog box in fig. 42.

You can make the ACL editor read only. The controls that handle ACL editing are grayed.

The ACL editor shows the relevant access rights that apply to this object. It asks you for the list of access rights.

Inherited ACEs and other allow / deny ACEs are merged into one user permission. The ACL editor bunches together deny DACEs and allow DACEs, asks you for generic access rights, and then remaps the rights so that they can be merged. In short, if two DACEs apply to the same user, they are appended.

Figure 42: Choosing a server / user

When you press Add..., you are presented with another dialog box (fig. 42). This window is the IDsObjectPicker dialog, which allows you to select users, groups or computers. For this dialog, the ACL editor asks you to supply the domain name where it can lookup the list of users. Unless you are editing a remote object, this will normally be the default domain name. Once again, the ACL editor will ask you to translate SIDs to user names when it fills the details view at the bottom of the dialog box.

If you are editing a DACL with entries too complicated to be represented as generic rights, the ACL editor will name the DACE "Special". In that case, you will need to enter the advanced ACL editor.

The Advanced ACL Editor

Figure 43: The advanced ACL editor.

If it was enabled, you can press the Advanced button to receive the full power of the ACL editor. The advanced ACL editor is a huge dialog sketched in fig. 43. It consists of four tabs which edit the DACL, SACL, owner and (from WinXP) effective permissions. The first dialog you see is the advanced permissions dialog, which allows you to fully edit the DACL. Its central user interface is a details view that shows all the entries of the DACL. This time, the inherited ACEs and the explicit ACEs are shown separately.

For each ACE, there is an entry for the ACE type (Allow / Deny), the user name, the permission name, the propagation flags, and (from WinXP) the inheritance source. With the exception of the ACE type, all of the entries in the details view are object specific (e.g. List folder contents may make sense for a directory object, but it's meaningless for a mutex). To complete the encapsulation, the ACL editor will ask you for the names. When the advanced permissions box is initialized, you will be asked to translate the following:

SIDs to user names.

Generic rights to specific rights.

Access rights to text.

Propagation flags to text.

Inherited ACEs to inheritance source (where the ACE came from).

If you want, you can also have a "Default" button, that resets the DACL to its default. When the user presses "Default", the ACL editor will ask you to supply a default security descriptor. This assumes you know what the default security descriptor is (and before adding a default security descriptor, remember your definition of a default security descriptor may not be everyone else's definition).

If your object supports auto-inheritance, you can display two further checkboxes. The "Inherit from parent" checkbox toggles the auto-inheritance of the DACL. When you disable auto-inheritance, you are asked if you want to make the inherited ACEs explicit, or remove them (if you read part 3, this is equivalent to asking for the preserveInheritance member of ObjectSecurity.SetAccessRuleProtection).

The "replace permission entries" checkbox has been affectionately called the sledgehammer button by Keith Brown [^]. It's so called because it goes down to every child object and resets all of their security descriptors to a simple default one (e.g. it can unhide your "secret documents" folder).

Figure 44: The ACE dialog box allows you to edit the individual access control entries in the ACL.

When the user presses "Add...", or double clicks on an entry in the list, a new dialog box appears, similar to fig. 44 (I'll call it the ACE dialog box). The ACE dialog box allows the user to edit the properties of that ACE. They can edit / add rights to the ACCESS_MASK, control the propagation of access rights, and (for domain style objects) the object properties.

When rendering the window, the ACL editor will ask you for the following:

The textual form of each access right. (Reminder: access rights combine to form an access mask.)

Notice you can specify both access allowed and access denied rights in the same ACE. In reality, the ACL editor will split up the access allowed and access denied ACEs into separate entries. You will see the resultant ACL when you exit this box by pressing OK.

If your object doesn't support one of these features (e.g. files don't have children, so propagation doesn't apply to them), you can ask the ACL editor to remove some features.

The ACE dialog becomes interesting when you attempt to edit auto-inherited entries. From part 3, you will know that you cannot edit auto-inherited ACEs. To compensate for this, the ACE dialog box grays the auto-inherited access masks, showing the user that they cannot edit them. Instead, the user must click on Deny to remove auto-inherited entries. Thanks to this wonder UI design, the ACL editor has made the user override the auto-inherit ACEs with deny entries!

Other Features of the ACL Editor.

When the user presses Apply to commit the security descriptor, a number of background checks occur on the ACL. One of the checks that is performed is the ordering of access control entries. If the ACL editor determines that the ACL is not ordered correctly, it sorts the ACL (informing the user of what it did). Contrary to what the docs may say, it is possible to override this sort.

If you've enabled the "SeSecurityPrivilege", you will want to consider showing the Auditing tab. This enables the user to edit the SACL, much the same way as the DACL. The ACL editor will handle the differences between an SACL and a DACL; so as far as you're concerned, the auditing page is a clone of the DACL page. The third tab enables the user to change the owner of the security descriptor. Due to a bug in the Windows 2000 ACL editor, the user can only effectively take ownership of the file (or their group). They cannot relinquish ownership, or give someone else the ownership (this bug was fixed in Windows Server 2003, where any user can be selected). Unless you're on Windows 2000, there is a final tab called the "Effective Permissions" tab. This tab acts as a front-end for the GetEffectiveRightsFromAcl() API, and enables the user to see what rights they effectively have (after including group rights, deny entries, and auto-inherited ACEs).

In order to display the ACL editor, you will need to implement an interface called ISecurityInformation. If you want to implement that interface... you'll have to learn a whole new batch of AdvAPI library functions:

MapGenericMask()

BuildTrusteeWithSid()

GetInheritanceSource()

FreeInheritedFromArray()

GetEffectiveRightsFromAcl()

SetNamedSecurityInfo()

GetNamedSecurityInfo()

TreeResetNamedSecurityInfo()

29. Getting Started

Although there are samples (particularly in the Platform SDK) to get you started, and two MSDN Magazine articles [^] mentioning the editor, there are some very peculiar bugs with the ACLUI, not mentioned anywhere else. When you look at the ISecurityInformation interface, it may look like a COM object, but in reality, it isn't a COM object (fig. 45).

Figure 45: A sample blueprint to implement the ISecurityInformation interface.

That's a pretty intimidating list of functions to implement, isn't it? (It rivals DirectX interfaces in terms of complexity.) What's worse, there is no Typelib to help you implement this interface (so neither ATL nor .NET will help you here). You're either going to have to implement these "COM" functions the low level way [^], or get a library [^] that does it for you.

Constructors / Destructors

If you look closely, you'll see that none of the ISecurityInformation methods take in a filename. Remember, the ACL editor doesn't only work for files. It works for registry keys, kernel objects, services, or anything you like. And here's why. The name and type of object are managed by you, not the ACL editor. So for the above class, I'd recommend you add a class member that denotes the name of your object (or objects, as will be explained later).

This is a pretty good place to enable any privileges you may need. Some of the privileges you may need are "SeSecurityPrivilege", "SeBackupPrivilege", "SeRestorePrivilege", "SeTakeOwnershipPrivilege" and "SeChangeNotifyPrivilege".

If you maintain a user interface, I'd also recommend you have a member denoting the owner window of the ACL editor.

IUnknown

Since this object implements IUnknown, you are required to maintain a reference count (starting at 1). For QueryInterface, the interfaces implemented are IUnknown and ISecurityInformation (and if you want, ISecurityInformation2, ISecurityObjectTypeInfo and IEffectivePermission). Due to an undocumented bug in ACLUI, your object must support the single threaded apartment model.

30. Implementing the ISecurityInformation interface

Now that you have implemented a constructor, destructor, and IUnknown, it's time to add the real functionality into your application.

1. ISecurityInformation::GetObjectInformation() and SI_OBJECT_INFO

When this method is called, you are required to fill up an SI_OBJECT_INFO struct (which influences the behaviour of the ACL editor) and return it to the caller. The SI_OBJECT_INFO struct is mostly self explanatory (with some optional members), but one member is worthy of discussion:

dwFlags: A set of flags that influences the behaviour of the ACL editor. For example, if you do not want the user pressing "Advanced" to show the advanced ACL editor, you can disable it here. If you don't want the user editing the security descriptor, set the SI_READONLY flag. Here are the more important flags:

SI_ADVANCED: Specifies the "Advanced" button will be shown so that the user can enter the advanced UI.

SI_CONTAINER: Indicates that your object is a directory (or behaves like a directory). You should set this flag if the object is a directory so the ACL editor can apply inheritance on the object. You may also want to enable the inheritance stuff.

SI_EDIT_AUDITS: Shows the "Auditing" tab (so the user can edit the SACL). To view / edit the SACL, you must have the "SeSecurityPrivilege".

SI_READONLY: Does not allow the user to change the security descriptor.

SI_OWNER_READONLY: Does not allow the user to change the owner (to change ownership, the user must be the owner, or have the "SeTakeOwnershipPrivilege").

SI_MAY_WRITE(undocumented): "Not sure if the user may write permission".

SI_NO_ADDITIONAL_PERMISSION(Undocumented): ??????

SI_NO_ACL_PROTECT: Select this if you haven't implemented inheritance. This hides the auto-inherit checkbox.

SI_OWNER_RECURSE: Shows the "Sledgehammer" button, which enables the user to reset all children's security descriptors to default. Do not show this unless you have implemented recursive walking in your object.

SI_RESET_DACL_TREE: Like SI_OWNER_RECURSE, but for the Advanced Permissions tab.

SI_RESET_SACL_TREE: Like SI_RESET_DACL_TREE, but for the "Auditing" tab.

SI_SERVER_IS_DC: Set this if you have determined the computer is in a domain environment.

SI_OBJECT_GUID: (domain-specific) If your object supports multiple inheritance, you should enable this flag.

My advice on choosing a suitable dwFlags: First disable features your object doesn't support (kernel objects don't support auto-inheritance, so you can remove most of the container stuff). Next disable features you are denied from doing (if you don't have the "SeSecurityPrivilege", don't show the Auditing tab). Then disable features that you feel will be too complex to implement. For example, if you don't want to implement the complicated sledgehammer button (more on this in section 33), you can disable the SI_RESET_DACL_TREE. The Filepermsbox sample program has two predetermined dwFlags (one for file, one for folder), then programmatically disable flags based on what it's allowed to do.

Warning: the strings and handles passed to ACLUI must remain valid throughout the lifetime of the editor, and only in the destructor do you get a chance to free any resources. If you use dynamically allocated memory without some kind of Copy-On-Write optimization, start watching your app leak memory.

2. ISecurityInformation::GetAccessRights() and SI_ACCESS[ ]

When we toured the ACL editor, I described how the ACLUI asks your class for a string each time it fills out an access right. This is the function ACLUI uses. Rather than calling GetAccessRights() for each access right, ACLUI will call this function once. What you do is supply a hash table (implemented as a SI_ACCESS array, C-style), and the ACL editor will use this hash table to map access masks into a display string and their values.

Access rights are object specific (e.g. a process object would have a "Create Process" access right, rather than a "Read File" right), but as a guide to what you should supply, you can check out Filepermsbox's SI_ACCESS structure in fig. 47. The SI_ACCESS structure consists of the following members:

pguid: If you are securing a domain style object, specify the object GUID here. Otherwise, set this to GUID_NULL.

mask: the value assigned to the action (e.g. for a file read, this would be FILE_GENERIC_READ).

pszName: The display name of the action (e.g. "Read").

dwFlags: Where the permission is displayed (in the main sheet, the advanced sheet, show for folders or files, ...).

SI_ACCESS_GENERAL: The entry will be shown on the Basic security page (use for generic access rights like "Modify", "Read & Execute").

SI_ACCESS_SPECIFIC: The entry will be shown on the Advanced security page (use for advanced access rights like "Append Data", "Read Extended Attributes").

SI_ACCESS_PROPERTIES: The entry will be shown on the Properties page (use for property changing rights).

0 (zero): If this entry is encountered in the ACL, it will be labeled as such in the Advanced Security page (e.g. "Read, Write and Execute").

SI_ACCESS_CONTAINER: The entry will only be shown if the object is a container (behaves like a directory).

Figure 47: A sample <SMALL>GetAccessRights</SMALL> implementation, for files and folders.

If you've set the dwFlags parameters properly, you can use just the one array of SI_ACCESSes to send to the ACL editor. However, if you need different lists depending on whether the advanced page or the basic page is being shown, GetAccessRights() will tell you which page is being initialized. Don't forget to set the number of entries and the default access right before returning to the caller. If the ACL editor comes across an access right that cannot be mapped into one of these entries, it will say the object has "Special permissions". One wrong entry in the SI_ACCESSes array could mean the difference between having all "Special permissions", or the correct permission name.

The SI_ACCESS array is the first of a number of C-style hash tables you need to supply to ACLUI.

3. ISecurityInformation::MapGeneric() and GENERIC_MAPPING

Apart from object abstraction, this is one case where the ACLUI sets itself apart from my ReadSD program [^]. This method serves as a bridge for MapGenericMask(). The ACL editor has supplied you with an ACCESS_MASK, and is expecting you to remap generic rights to object specific rights using MapGenericMask(). The GENERIC_MAPPING structure (another hash table) is object specific, and may also be used elsewhere in the class, so Microsoft recommends you have the GENERIC_MAPPING as a global structure (don't worry, you can keep it constant). You may already know how to map generic rights into object specific rights if you bothered to look inside ReadSD [^], but in case you haven't, there are two tasks to perform here:

Fill out a GENERIC_MAPPING structure which will transform the system generic access rights into specific rights.

Call MapGenericMask() so the ACCESS_MASK is cleared of generic rights.

If your object supports GUIDs, you can build separate GENERIC_MAPPINGs depending on the GUID supplied as necessary. For files / folders, the GENERIC_MAPPING is relatively simple.

4. GetInheritTypes() and SI_INHERIT_TYPE[ ]

This method is responsible for translating the cryptic CONTAINER_INHERIT_ACE, etc. into a more meaningful entry (e.g. "This folder, and child folders"). This also includes combination names like CONTAINER_INHERIT_ACE | OBJECT_INHERIT_ACE (which should translate to "This folder, child folders and files"). The process involves filling out an array of SI_INHERIT_TYPEs (the ACL editor sure does use a lot of C-style hash tables). Think of GetInheritTypes() as a GetAccessRights() for propagation flags.

5. ISecurityInformation::PropertySheetPageCallback()

This method notifies you whenever a new page is being displayed, or destroyed. This may be useful if you are subclassing the ACL editor, because it sends you the new window handles. I tend to use GetLastActivePopup() to get the dialog box window instead, but you may or may not need them. If you don't need the window handles, you can simply return S_OK.

6. ISecurityInformation::GetSecurity()

I've deliberately left the Get / SetSecurity() methods for last, because this is where the real fun begins. When the GetSecurity() method is called, you are required to fill a SECURITY_DESCRIPTOR variable with the requested SECURITY_INFORMATION.

At first sight this method appears to be an inviting filter for the Get*ObjectSecurity() APIs (after all there's a SECURITY_INFORMATION, and a SECURITY_DESCRIPTOR, and we have the object name). If you've read part 2, you'll know that you should not use these APIs. Reminder: these APIs do not support inheritance. So what do we use instead?

You should use GetSecurityInfo() or GetNamedSecurityInfo(). Since the ISecurityInformation::GetSecurity() calls were designed for Get*ObjectSecurity(), some translation to GetNamedSecurityInfo() is in order. The Get variants are the easier of the two to translate.

Had the user pressed the Default button, ACLUI will call GetSecurity() with fDefault set to true. Then you should set ppSecurityDescriptor to a default SECURITY_DESCRIPTOR (Filepermsbox calls out its helper function GetDefaultSecurity() to perform this task). When choosing a default security descriptor, make sure that the default is a secure one. I've given some guidelines on choosing a default security descriptor back in part 1.

When you're designing a default security descriptor, note that what you define as a default security descriptor may not agree with the end user's definition of default security descriptor. If you're not sure what the default security descriptor should be, disable ACLUI's Default button feature (Windows disables it).

One more thing, before you return the security descriptor to the caller, it must point to a block of memory that was LocalAlloc()'ed. This is because the ACL Editor will LocalFree() it later. GetNamedSecurityInfo() calls LocalAlloc() to allocate the security descriptor automatically, so you can just pass the returned security descriptor to the ACL editor. Unfortunately, it's bad news if you are using something like .NET, because it means you have to marshal a native object outside of its scope.

Figure 51: a simple implementation of GetSecurity() (GetDefaultSecurity() left unimplemented).

ISecurityInformation::SetSecurity()

Once the user has changed the security descriptor, pressed Apply and responded to the warnings, this method is called. This is easily the most difficult of the methods to implement. Some of the problems may be self inflicted (Filepermsbox stores the filenames in an STL list, and needs to convert each name into a writable C-style string), some are due to ACLUI being object-agnostic, but most are due to ACLUI doing almost no work until this method.

You can find out which pieces the user altered by peering into the SECURITY_INFORMATION parameter. All the changes will be placed in a modification security descriptor. Your task is to apply the changes onto the object. Recover the name of your object and start enabling any privileges you need. Then take a deep breath, and good luck.

7. Set Security with SetSecurityInfo().

The docs [^] for SetSecurity() say: "The application must merge the new security descriptor parts into the object's existing security descriptor". The older security functions which replace the security descriptor parts rather than merge them are out of the question.

If you've read part 2, you'll know that using SetSecurityInfo() (or SetNamedSecurityInfo()) is the preferred method of writing a security descriptor. In order to use SetSecurityInfo(), you need to split up the SECURITY_DESCRIPTOR into its pieces. Getting the DACL, SACL, Group, and Owner isn't too difficult (especially with the help of GetSecurityDescriptorDacl() and friends).

Figure 52: extracting the security descriptor parts so you can call SetSecurityInfo().

The harder part is translating the control bits. In part 2 [^] (when setting the security descriptor), I presented a mapping that can transform the control bits into appropriate security information flags. This mapping will help you detect whether the user has checked the auto-inherit box, and translate any inheritance settings into appropriate SECURITY_INFORMATION flags.

If your object is a container, then it is likely you need to add support for the sledgehammer checkbox.

8. Handling the Sledgehammer Checkboxes.

It's not documented in the SDK, but in order to detect if the user selected one of the sledgehammer checkboxes, you need to test the psi parameter for the presence of one of the following flags: SI_OWNER_RECURSE or SI_RESET_DACL_TREE or SI_RESET_SACL_TREE. If any of these flags are present, you will need to recursively apply the security descriptor to all child objects. You can guarantee that this code will involve collections somehow.

Since ACLUI knows nothing about your objects, it doesn't know how to walk them, so you need to walk the directory tree yourself. Walking a directory tree shouldn't be terribly difficult. It's simply FindFirstFile(), FindNextFile(), and FindClose() (or the equivalent function if your object is not a folder). Then with the list of files obtained, set each security descriptor one-by-one.

This technique may seem to work, but it suffers from a flaw. Suppose you are currently denied access to the folder. In that case, FindFirstFile() will fail, and you won't be able to walk the tree. How do we walk a directory for which we currently have no access? Don't dismiss this problem, resetting the security is a major use case for your application (the user has just been locked out of a folder, and now needs you to bail them out).

The answer here is to cheat! You can't walk the file system, because the access checking mechanism is preventing us from doing so. What we need to do is disable the access checking mechanism altogether! If you have the "SeBackupPrivilege", you can disable the access checking mechanism, open any file with FILE_TRAVERSE rights and successfully walk all child objects! This is what Windows does for Windows 2000. Unfortunately, this "off" switch is only available if you are a member of the BackupOperators / Administrators group. How can we walk the folder if we aren't an administrator?

If you're on Windows XP or later, you can use the recently documented TreeResetNamedSecurityInfo() API. TreeResetNamedSecurityInfo() behaves like the normal SetSecurityInfo(), but can also walk a file-system folder or a registry key and set the security for all children. It works by impersonating a highly privileged account, and using the privileged account to walk the tree. Optionally, you can supply a callback function that you can use to receive notifications about each file. If you need to cancel the tree walking operation, you should set the PROG_INVOKE_SETTING member to ProgressCancelOperation. Filepermsbox makes use of the callback to provide a progress dialog.

This method bears the advantage that it is a supported API, thus will be more compatible with future Windows versions. However, TreeResetNamedSecurityInfo() is a recent API not available in Windows 2000, and has its own share of undiscovered bugs.

Figure 54: Setting security with the help of TreeResetNamedSecurityInfo().

If you intend to support Windows 2000 clients, you'll need to emulate the TreeResetNamedSecurityInfo() API. That leads us to the final option: walk the directory manually, with a tweaked traversal algorithm.

This is one of those few cases where depth-first recursion is a better choice than breadth-first recursion. When you're currently denied access to the object, you have to write the security descriptor first, then read the directory contents. This works if you are granting yourself access, but what if you're denying access to yourself? That is, you currently have access to the directory, but you are about to write a security descriptor that will deny access to yourself. Once you write to the main folder, you can no longer read the directory. In this scenario, you need to traverse the directory first, then set the security descriptor. That's two different algorithms you will need.

Filepermsbox solves this dilemma by applying both algorithms. Get the list of files before, recurse into all these children, then apply the security descriptor to the root folder, then get the list of files after, and repeat the recursion.

If you are faced with this problem, I recommend you find a way of bypassing or switching off the access check mechanism (e.g. enable a privilege, or contact a system service). Trying to engineer an algorithm that handles access checks is quite cumbersome.

If you are writing the DACL or SACL, there is one more task. Although the root folder should get the security descriptor manufactured by the user, the folder's children should get a different security descriptor: "D:ARAIS:ARAI". That is, all children should get an empty security descriptor that auto-inherits. This security descriptor will erase all explicit ACEs, leaving only the auto-inherited ACL from the root folder. For Filepermsbox, this happens to be the same as the default security descriptor (from ISecurityInformation::GetSecurity()). If you were using TreeResetNamedSecurityInfo(), you could make use of the KeepExplicit parameter to perform this for you.

9. Handling more than one object.

Someone asked this once question in the newsgroups, so I added this section. Can the ACL editor work for more than one object? At first glance, of course it can't. The ACL editor is only capable of showing one security descriptor, and that means you can only show one object. How in the world can the ACL editor edit more than one object?

It can show it if the objects have equal security descriptors. If the two objects have equal security descriptors, only one will need displaying, and you can apply it to both. However, what constitutes an equal security descriptor? There is no API called IsEqualSecurityDescriptor() to help us, so we need to compare the security descriptors ourselves. This is not only useful for the ACL editor, but can be used in security auditing applications (e.g. AccessEnum [^]).

Two security descriptors can be considered equal if AccessCheck() behaves in the same way for both of them. The group, owner, version, and persistent control bits (SE_DACL_AUTO_INHERIT_REQ is a temporary flag and doesn't count) need to be equal for both security descriptors. For the DACL and SACL, not only do they have to have the same entries, you have to take into account the proper ordering of the ACEs.

If either the group, owner, persistent control flags, or version are different, then there is no equality.

If the DACLs have differing entries (i.e. one grants access to yourself, whereas the other one denies access), then they can't be equal (AccessCheck() will behave differently).

If an Allow ACE precedes a Deny ACE, then the disordering of the ACLs will change the behaviour of AccessCheck().

However, if two allow ACEs are in the wrong order, the proper ordering of ACEs will still be upheld, and the AccessCheck() would be the same for both. In general, any change which preserves the ordering of the DACL will not change the security descriptor.

2, 3 and 4 should apply to the SACL as well as the DACL.

It's quite clear you will need to split up the security descriptor back into its parts to perform the equality. Splitting up a security descriptor was explained in part 2. For the DACL / SACL, you could perform a byte-wise comparison (which is what Windows does), but that means you will mistake case 4 as an unequal security descriptor. Filepermsbox goes a little further--it takes one ACE in the first DACL and searches for this value in the second DACL. This method successfully passes case 4, but if the DACL is disordered (case 3), then Filepermsbox will mistakenly pass the DACL. The final test you need to perform is checking the proper ordering of ACEs.

So in summary, two security descriptors are equal if:

The group and owner SIDs are the same.

The version and persistent control flags are the same.

The DACLs and SACLs contain the same number of entries.

The DACLs and SACLs contain the same entries.

The DACLs and SACLs are in canonical order.

If you can utilise .NET / ATL / SDDL / Regular Expressions, by all means make use of them to help you.

If you have found that the security descriptors are not equal, you can ask the user if they want to change the security descriptor so they are equal (this is what Windows does). Once you have made the security descriptors equal, you can just display the first security descriptor. The user will edit just the first security descriptor, and when the user presses Apply, your SetSecurity() method is called. All you need to do now is apply this one security descriptor to all the selected objects in a loop (shouldn't be too difficult if you implemented the sledgehammer functionality).

With everything done, it's now a matter of calling SetPrivateObjectSecurityEx(), SetSecurityInfo(), SetNamedSecurityInfo() or TreeResetNamedSecurityInfo() as appropriate. Then clean up the privileges and resources, and return any errors back to ACLUI.

After all that work implementing ISecurityInformation (particularly SetSecurity()), you'd probably want to rest on your laurels and move onto the next project now. However, there are three other interfaces that your class can implement. If you choose not to implement the other three interfaces, you'll lose out on some quite useful features. If you are implementing these interfaces, don't forget to inform ACLUI by updating IUnknown::QueryInterface() and ISecurityInformation::GetObjectInformation().

10. ISecurityObjectTypeInfo::GetInheritSource() and INHERITED_FROM[ ]

You only need this method if your class implements ISecurityObjectTypeInfo. This method is only available if the operating system is Windows XP and above. This method enables the ACL editor to show where an inherited ACE came from. It will show the result in the Advanced DACL page. In order to implement this interface, you need to make use of the GetInheritanceSource(), which fills out (drum rolls)... a hash table!

Once GetInheritanceSource() is called, it is good practice to call FreeInheritedFromArray() on the returned INHERITED_FROM array to free up the memory.

The ACL editor will not do this for you. You must implement code that copies this array to a LocalAlloc()'ed one, and return the LocalAlloc()'ed array instead. The operating system does free the block with a LocalFree() (even though it's not documented). One final problem will be how to free the contents of those strings you copied. Filepermsbox reuses the technique used in section 13 and mentioned in the C FAQ [^], which is to allocate a big block of memory and use some creative pointer arithmetic to mimic a two dimensional array.

This is a rather questionable design decision made by Microsoft to implement this API, and we have to resort to this unclean hack.

11. IEffectivePermission::GetEffectivePermission()

You only need this method if your class implements IEffectivePermission. This method is only available if the operating system is Windows XP and above. The ACL editor uses this function to implement its Effective Permissions feature (this provides a user interface for the GetEffectiveRightsFromAcl() API). To show the "Effective Permissions" tab, you'll need to specify an undocumented flag in your SI_OBJECT_INFO struct (SI_EDIT_EFFECTIVE). To implement it in your code you have four tasks to perform:

Extract the ACL from the provided security descriptor.

Allocate an array of ACCESS_MASKs.

Build a TRUSTEE from the supplied SID. If you need to translate the SID to a name, make sure you do the SID lookup using the supplied pszServerName parameter.

Call GetEffectiveRightsFromAcl() with the buffer you allocated in step 2, and the TRUSTEE you built with step 3. Then set the output parameters to the output results.

The reason you should LocalAlloc() the array of ACCESS_MASKs is because the ACL editor will call LocalFree() on the buffer once it has finished with it. If your object supports GUIDs, you'll have a bit of extra work to do. You must fill out a OBJECT_TYPE_LIST[] array with the property tree for the object (along with the GUIDs).

12. ISecurityInformation2::LookupSids() and SID_INFO_LIST

Sometimes, the ACLUI will be unable to translate SIDs from binary form into a user name. It just can't quite pass in the right parameters to LookupAccountSid(), or maybe LsaLookupSids() is required. In these cases, you may be able to translate the SIDs. If you override ISecurityInformation2::LookupSids(), you can override the SID lookup process, thus allowing you to translate the untranslatable SID.

LookupSids() passes you an array of SIDs. You are expected to translate as many as you can, and put the resultant principal / display names in an array of SID_INFO structures (a SID_INFO_LIST). To return the data back to ACLUI, you are expected to wrap the structure in an IDataObject. That means implementing another COM interface (only IDataObject::GetData() needs to be implemented). Since the SID_INFO_LIST must last at least as long your CDataObject, you should make your CDataObject manage the SID_INFO_LIST. Filepermsbox does not implement this interface (J. Brown [^] should help you better than I). However, if you have created a CDataObject, your LookupSids implementation can look like Fig. 53.

13. ISecurityInformation2::IsDaclCanonical()

Earlier on, I told you that the ACL editor sorts the ACLs so they obey the proper ordering rules. If you attempt to hand it a disordered ACL, ACLUI will sort those entries into the correct order. If you implement this method, you can override the ACL sort. The method is rather simple: you are handed a pointer to ACL, and you should return TRUE if the ACL order is correct, or FALSE otherwise. As for checking if an ACL is sorted, that's left as an exercise for the reader.

Filepermsbox needs the ordering of the ACLs to always be correct, so it always returns FALSE (it doesn't implement this method).

33. Presenting the interface

If you have reached this far into the series, you have successfully implemented an ISecurityInformation object, ready to be called. All that's left now is to open up the ACL editor. You can call either CreateSecurityPage() (if you have a property sheet dialog), or EditSecurity() (if you don't). Any of these functions will show the ACL editor.

And that's it! Filepermsbox adds on the following user interface elements...

14. Adding a Progress Dialog.

ISecurityInformation::SetSecurity() could take a long time to complete. (It sure took a long time to code!) Therefore, you may want to consider adding a progress dialog. Since there is a high probability for failure (you usually aren't allowed to write security descriptors), you should inform the user whenever there is a failure, and this is where a progress dialog comes into its own. I've chosen Michael Dunn's progress dialog (here). It's placed on a separate worker thread, created before the ACL editor is created (I couldn't create a thread in ISecurityInformation::SetSecurity(), because the thread is impersonating at that moment). To support the Cancel button, I've made use of the callbacks in TreeResetNamedSecurityInfo().

15. The Property Sheet Extension

Filepermsbox optionally provides a shell extension that's associated for all files and folders. The shell extension is based on the SDK samples (with some help provided by the "Complete Idiot's Guide to Writing Shell Extensions"). This is one of the few shell extensions that work for multiple files and multiple folders. When you select multiple files and folders, Filepermsbox checks each file for their security descriptor. If security descriptors aren't available (e.g. FAT32 drive), then the property sheet is not shown.

All security descriptors must be equal, otherwise the user is prompted to reset the security descriptors. Clearly, if the files come from different paths (e.g. one file comes from "C:\Windows" and the other comes from "C:\Program Files\Common Files"), then of course the security descriptors are going to be different. But in this case, you know why they're different. Any attempt at resetting the security descriptor will not make them equal—it will only make things worse. Windows suffers from exactly this bug. Filepermsbox does not. (Filepermsbox parses the paths to see which directory they come from. It does not show the tab in this case.)

Before showing the ACL editor, the property sheet shows you the SDDL form of the security descriptor.

Figure 61: A view of the Filepermsbox property sheet dialog.

16. Filepermsbox API.

Right now, the Filepermsbox API is totally brain dead. There's only one API available, and it's only usable if you have Visual C++ 2003 (this is due to the FileNames parameter):

/** Displays the ACL editor for the filenames specified, so
* the user can edit their security descriptor.
*
* All parameters are in parameters
*
* HWND TheirhWnd - The parent window
* SE_OBJECT_TYPE seObjType - The type of object specified.
* Currently, only SE_FILE_OBJECT is supported.
* const list<const wstring> &FileNames - The list of
* filenames the ACL editor will display. Only the first
* security descriptor will be passed to the ACL editor.
* BOOL AddWritability - Unless set to TRUE, the ACL editor
* will be read-only, meaning the user can't make any
* changes.
*
* Returns TRUE for success and FALSE for failure. A error
* message may be displayed to the user if a unhandled
* exception occurs. You might get more information from
* GetLastError().
**/
USRDLL_IMPORT BOOL __stdcall DoSecurityBox(HWND TheirhWnd,
SE_OBJECT_TYPE seObjType,
const std::list<const std::basic_string<TCHAR> > &FileNames,
BOOL AddWritability);

Figure 62: The main API exported from Filepermsbox.dll.

I've created a more usable .NET wrapper in C++ / CLI (you can call it via OLE automation), which instead of asking for an STL list, asks for a System.String[]. However, since you need Visual Studio 2005 to use it, it's not currently available. When Visual Studio 2005 goes final, I will recompile the solution in VS2005, then you can use my API.

34. Final Thoughts.

ACL-based security was envisioned in the very first months of Windows NT (back in 1989). It remains the most complicated of the different types of authorization. ACL-based security is centered around one function: AccessCheck(). All the structures, ACLs, privileges, and security descriptors exist just to customize the behaviour of AccessCheck(). The primary structure that customises this API is the SECURITY_DESCRIPTOR struct.

The original authorization API was universally deemed unusable by developers, including those in Microsoft. It was far too difficult to create security descriptors that maintain the correct balance between functionality and security. Hence, developers usually shunned security descriptors completely or made substandard security descriptors. However, these poorly chosen security descriptors have led to some of the worst security holes (and the most damaging viruses to go with it) the IT industry has ever seen. Microsoft (and others) realised the difficulty of using ACL-based security, and created new interfaces for the ACL-based functions (examples are in C++, ATL, and most recently .NET).

Despite their complexity, security descriptors can be applied to any object you like with the help of authorization APIs, but are most commonly applied to files, kernel handles and registry keys. The authorization API relies on the authentication API doing its job properly, and borrows a number of structures from the authentication API, such as the SID, access token and impersonation level.

In this series, you were shown how to program ACLs using the older method, and using three of the available security libraries. With that in place, you were shown how to implement the ACL editor in your applications so you can allow the user to edit security descriptors.

I hope you have enjoyed my series on the Windows Access Control Model. The series was designed to cover just enough topics for you to program the ACL editor, which is why it is quite thin on security topics. We didn't talk about role-based security (a simpler type of security model which secures according to which group you belong), or code based security (another simpler model which secures by what action you are taking). These newer security models are best exploited with the help of the .NET framework (though they are available for native applications).

Active directory security, based on private security descriptors, was conveniently glossed over in this series. However, since private security descriptors can get extremely complex, especially for administrators, Microsoft has provided an alternative scripting API for them. The Resource Kit / Technical Reference are good references for studying Active Directory Security.

Even if you haven't benefited from this series, I certainly have benefited from writing it. Thanks to this series, I was able to update Filepermsbox to v1.10, with these fixes:

The privilege code has been rewritten. This fixes the leaked privilege bug. The privilege is now only enabled for very short periods, and is no longer process wide.

The progress dialog code has been rewritten to be more responsive, more accurate, and more stable.

The "sledgehammer checkbox" algorithm has been rewritten. Win2K should be much more stable.

Updated the code to compile with VS2005.

Started a developer API (you'll have to wait for .NET v2.0 to be released however).

35. History

QueryServiceConfig was altered to handle files instead of services. Thus, Filepermsbox was born.

24/12/2004

Filepermsbox and QueryServiceConfig were released.

12/2004 - 3/2005

Filepermsbox was updated through to v1.09. QueryServiceConfig to v1.03.

24/3/2005

Started work documenting my experiences for CodeProject.

26/3/2005

Split article into four parts.

6/4/2005

Part 1 of the series was uploaded.

12/4/2005

Moved a couple of sections from part 2 back into part 1. Fixed the horizontal scroll bar whilst I was at it.

23/4/2005

Part 2 of the series was uploaded. This contains an updated TOC.

14/5/2005

Part 3 of the series was uploaded. TOC updated again.

21/6/2005

The entire series is now up. All articles were updated to reflect the change.

07/09/2005

Updated Filepermsbox to v1.11.

License

This article has no explicit license attached to it but may contain usage terms in the article text or the download files themselves. If in doubt please contact the author via the discussion board below.

Share

About the Author

Mr. Shah is a reclusive C++/C# developer lurking somewhere in the depths of the city of London. He learnt physics at Kings' College London and obtained a Master in Science there. Having earned an MCAD, he teeters on the brink of transitioning from C++ to C#, unsure of which language to jump to. Fortunately, he also knows how to use .NET interop to merge code between the two languages (which means he won't have to make the choice anytime soon).

His interests (apart from programming) are walking, football (the real one!), philosophy, history, retro-gaming, strategy gaming, and any good game in general.

He maintains a website / blog / FAQ / junk at shexec32.serveftp.net, where he places the best answers he's written to the questions you've asked. If you can find him, maybe you can hire Mr. Shah to help you with anything C++[/CLI]/C#/.NET related .

Comments and Discussions

hi i have a completion homework for this year about acl..and your program is about which ı have to do.so this is a useful program but when ı run this program in studio 2008 the debug says me files FilePermissionsBox.lib couldn't found..please put the full program code and upgrate it in this site..
ı must do it accidently..
excuse for my bad english.
ı will wait the upgrate and the answer of my question...